
fix(paths-ignore): skip vendored-estate clones by default #14

Merged
hyperpolymath merged 3 commits into main from fix/paths-ignore-vendored-estate-clones on May 26, 2026

Conversation

@hyperpolymath
Owner

Summary

Extends the default paths-ignore input to skip absolute-zero/ so that vendored estate-clone subdirectories are not validated by host-repo CI.

Bug class

validate-k9.sh discovers K9 files via find . \( -name '*.k9' -o -name '*.k9.ncl' \) and validates every match. When a host repo contains a tracked subdirectory that is a vendored copy of another hyperpolymath repo (convention: the subdirectory is named after the upstream repo), the validator finds the vendored copy's K9 files and validates them. If the vendored snapshot fails any invariant (e.g. missing K9! magic on line 1, missing pedigree block), the host repo's CI fails on baseline-rot — a defect the host PR did not introduce.

Concrete instance: maa-framework ships absolute-zero/ as a 204-file vendored subtree, including absolute-zero/coordination.k9. That file does not satisfy this validator's invariants in the upstream snapshot, and so every PR opened against maa-framework fails the K9 gate on a file the PR did not touch (see maa-framework#69).

Fix

Add absolute-zero/ to the default paths-ignore list. The validator script already honours the default via newline-split substring match (see validate-k9.sh:37-53, 286-297) so no script change is needed.

The action description for paths-ignore is also updated to document the convention: a tracked subdirectory named after an upstream hyperpolymath repo is a vendored copy whose K9 files belong to the upstream's CI, not the host's.

Conservatism

This PR adds only absolute-zero/ — the one vendored-clone path we have an attested baseline-rot incident for. Additional vendored estate clones will be added as concrete incidents accrue; we are not pre-emptively listing repo names.

Test plan

  • CI green on this PR
  • Re-run maa-framework#69 once consumers pin a tag containing this change; expect the K9 gate to pass on the host PR

Refs: maa-framework#69
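The discovery-plus-filter step the PR describes (find every *.k9 / *.k9.ncl file, then drop any path containing one of the newline-separated paths-ignore entries), re-created here as an added example; it is not the project's validate-k9.sh, and the fixture layout, the node_modules/ entry and the function names are assumptions.

```shell
# Added example, not the project's validate-k9.sh: re-creates the discovery
# step the PR describes (find *.k9 / *.k9.ncl, then drop any path that
# contains one of the newline-separated paths-ignore entries) and shows the
# vendored absolute-zero/ clone being skipped while host files are kept.
set -eu

# Default ignore list, newline-separated as in the action input.
# "absolute-zero/" is the entry this PR adds; "node_modules/" is assumed.
PATHS_IGNORE_DEFAULT="$(printf 'absolute-zero/\nnode_modules/')"

# is_ignored PATH IGNORE_LIST -> 0 if PATH contains any non-empty entry
# (plain substring match, as the PR says the validator does).
is_ignored() {
  printf '%s\n' "$2" | (
    while IFS= read -r entry; do
      [ -n "$entry" ] || continue
      case "$1" in *"$entry"*) exit 0 ;; esac
    done
    exit 1
  )
}

# discover_k9 ROOT IGNORE_LIST -> K9 files under ROOT that survive the filter
discover_k9() {
  ( cd "$1" && find . \( -name '*.k9' -o -name '*.k9.ncl' \) | LC_ALL=C sort ) |
  while IFS= read -r f; do
    if ! is_ignored "$f" "$2"; then printf '%s\n' "$f"; fi
  done
}

# make_fixture -> path of a constructed host repo: two host K9 files plus a
# vendored absolute-zero/ snapshot whose coordination.k9 lacks the K9! magic.
make_fixture() {
  d="$(mktemp -d)"
  mkdir -p "$d/absolute-zero" "$d/policies"
  printf 'K9!\n' > "$d/policies/host.k9"
  printf 'K9!\n' > "$d/policies/host.k9.ncl"
  printf 'stale upstream snapshot\n' > "$d/absolute-zero/coordination.k9"
  printf '%s' "$d"
}

demo() {
  d="$(make_fixture)"
  echo "with default paths-ignore (this PR):"; discover_k9 "$d" "$PATHS_IGNORE_DEFAULT"
  echo "with no paths-ignore (pre-fix, vendored file validated):"; discover_k9 "$d" ""
  rm -rf "$d"
}
demo
```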

The validator was finding K9 files inside vendored copies of other
hyperpolymath repos (e.g., maa-framework ships absolute-zero/coordination.k9
as part of a 204-file vendored subtree). The host PR didn't introduce the
state but CI failed on the vendored copy's K9 invariants.

Estate-wide pattern; vendored estate clones are convention-named after the
upstream repo. The minimum needed to unblock the observed cases is
absolute-zero/; add others as we encounter them.

Refs: maa-framework #69 baseline-rot.
@github-actions

🔍 Hypatia Security Scan

Findings: 48 issues detected

Severity Count
🔴 Critical 1
🟠 High 17
🟡 Medium 30

⚠️ Action Required: Critical security issues found!

[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action actions/upload-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/download-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/k9-validate-action/k9-validate-action/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 24,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/k9-validate-action/k9-validate-action/.envrc",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Nominal-only SAST in k9-validate-action: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/k9-validate-action/k9-validate-action",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in k9-validate-action",
    "type": "DependencyPinning",
    "file": "/home/runner/work/k9-validate-action/k9-validate-action",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
    "scorecard_check": "Pinned-Dependencies"
  },
  {
    "reason": "Repository has 2 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/code_scanning_alerts/CSA004 -- Hypatia code_scanning_alerts: CSA004 -- 2 day(s) old",
    "type": "CSA001",
    "file": "no file associated with this alert",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

…ge gate

standards#168 (merged) consolidated all per-language banned-language
checks into governance-reusable.yml's enforce()/is_exempt() helpers.
The check now finds examples/SafeDOMExample.res — the recurring estate
fixture for safe-DOM ReScript patterns that pre-dates the 2026-04-30
ReScript ban.

Adding .hypatia-ignore exemption (the canonical mechanism per
docs/EXEMPTION-MECHANISMS.adoc) so the gate stops failing while the
affinescript#57 Phase 2 tree-sitter walker sequences the .res→.affine
migration for this fixture.

Refs PR #14 governance / Language / package anti-pattern policy
check.
@github-actions

🔍 Hypatia Security Scan

Findings: 48 issues detected

Severity Count
🔴 Critical 1
🟠 High 17
🟡 Medium 30

⚠️ Action Required: Critical security issues found!


The repo ships only YAML + Bash + Markdown (no JS/TS source). The
CodeQL workflow's javascript-typescript matrix entry was failing
on every run with:

    Only found JavaScript or TypeScript files that were empty or
    contained syntax errors.

Switching to language=actions runs the GitHub Actions security
analyzer against the workflow files, which is the actually-relevant
scan for an action repo.

Refs PR #14 analyze (javascript-typescript, none) check.
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions

🔍 Hypatia Security Scan

Findings: 30 issues detected

Severity Count
🔴 Critical 1
🟠 High 11
🟡 Medium 18

⚠️ Action Required: Critical security issues found!

[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action actions/upload-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/download-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/k9-validate-action/k9-validate-action/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 24,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/k9-validate-action/k9-validate-action/.envrc",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Nominal-only SAST in k9-validate-action: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/k9-validate-action/k9-validate-action",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in k9-validate-action",
    "type": "DependencyPinning",
    "file": "/home/runner/work/k9-validate-action/k9-validate-action",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
    "scorecard_check": "Pinned-Dependencies"
  },
  {
    "reason": "Repository has 2 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/code_safety/shell_download_then_run -- Hypatia code_safety: shell_download_then_run -- 3 day(s) old",
    "type": "CSA001",
    "file": "setup.sh",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD009 -- Hypatia structural_drift: SD009 -- 8 day(s) old",
    "type": "CSA001",
    "file": "src/interface/ffi/src/main.zig",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]


@hyperpolymath hyperpolymath merged commit c63c6c5 into main May 26, 2026
18 checks passed
@hyperpolymath hyperpolymath deleted the fix/paths-ignore-vendored-estate-clones branch May 26, 2026 08:15